IETF Logo Mail Archive

Re: [i2rs] Review comments to draft-mglt-i2rs-security-environment-reqs-00 (was RE: draft-mglt-i2rs-security-requirements-00 2 Week WG adoption call (8/17 to 8/31)

Andy Bierman <andy@yumaworks.com> Mon, 24 August 2015 18:02 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: i2rs@ietfa.amsl.com
Delivered-To: i2rs@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 474A91A003B for <i2rs@ietfa.amsl.com>; Mon, 24 Aug 2015 11:02:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4zBDANPhawHG for <i2rs@ietfa.amsl.com>; Mon, 24 Aug 2015 11:02:45 -0700 (PDT)
Received: from mail-lb0-f172.google.com (mail-lb0-f172.google.com [209.85.217.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC5431A1B19 for <i2rs@ietf.org>; Mon, 24 Aug 2015 11:02:44 -0700 (PDT)
Received: by lbbpu9 with SMTP id pu9so84985538lbb.3 for <i2rs@ietf.org>; Mon, 24 Aug 2015 11:02:43 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=xTJevIxklr7PHW8/4MuAQyuh3zI/2qKNJ3ZkFBL2WHA=; b=CPWg7MGl75go6DQd5qAQMXT7j4vNShppfEeESEzYES82RbtjwlN2HrVfTODKbGZlW3 OY9KqIV/undlJZ80zV6qoHEQQ9+O98Cq244bnQ83qRyZ9eRf5oABoHdDuMvAWT9lnAe+ TzM2nKu8Q3bjpwu592QLKM/HB7PsuQyjR4mf4wkOApjVhPfwo5zt8XMhbkcDobY+AcYl kNYQ3fYdu5cp0vkafaK3kXZ9bwtJ9JuZ/1KQRYUsnUu2l8bUWs7fmt/jDSxDacFYA97P MdjUCGN64JnuRgcv43QLf5UTwrHLnBxkb3ryDhZNHD2peN8v59mbx94BDeNLYb8wfyVY 4QwQ==
X-Gm-Message-State: ALoCoQm2j3WlOzanEKjMWK4GonhIQy/QDQjOCrQoGv9TKt/VPtvkOtcKTu5ase6/zFAeaWcC4vjF
MIME-Version: 1.0
X-Received: by 10.112.154.106 with SMTP id vn10mr21574528lbb.38.1440439363240; Mon, 24 Aug 2015 11:02:43 -0700 (PDT)
Received: by 10.112.200.104 with HTTP; Mon, 24 Aug 2015 11:02:43 -0700 (PDT)
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F657D173F6@dfweml701-chm>
References: <01a801d0d915$1558b4e0$400a1ea0$@ndzh.com> <4A95BA014132FF49AE685FAB4B9F17F657D1422E@dfweml701-chm> <55D7494B.1090903@joelhalpern.com> <4A95BA014132FF49AE685FAB4B9F17F657D158B0@dfweml701-chm> <55D75DAD.6040604@joelhalpern.com> <4A95BA014132FF49AE685FAB4B9F17F657D173F6@dfweml701-chm>
Date: Mon, 24 Aug 2015 11:02:43 -0700
Message-ID: <CABCOCHRGMTQWTneddfZPC+d8t2wBAdEM6-j9NmLsgf6rTVmsjg@mail.gmail.com>
From: Andy Bierman <andy@yumaworks.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
Content-Type: multipart/alternative; boundary="089e0122af2a911d32051e126c51"
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2rs/R2-yTLtRJUxSWL_umykblRkAfYk>
Cc: Jeffrey Haas <jhaas@pfrc.org>, "i2rs@ietf.org" <i2rs@ietf.org>, "daniel.migault@ericsson.com" <daniel.migault@ericsson.com>, "Joel M. Halpern" <jmh@joelhalpern.com>, Alia Atlas <akatlas@gmail.com>
Subject: Re: [i2rs] Review comments to draft-mglt-i2rs-security-environment-reqs-00 (was RE: draft-mglt-i2rs-security-requirements-00 2 Week WG adoption call (8/17 to 8/31)
X-BeenThere: i2rs@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Interface to The Internet Routing System \(IRS\)" <i2rs.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2rs>, <mailto:i2rs-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2rs/>
List-Post: <mailto:i2rs@ietf.org>
List-Help: <mailto:i2rs-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2rs>, <mailto:i2rs-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2015 18:02:50 -0000

Hi,

I will leave it to the Security ADs to decide whether a non-secure transport
for I2RS should be standardized.

The "lean" I2RS seems to be a proprietary controller and agent
with no multi-headed control support. This will almost certainly
mean that the router will not work if any "unofficial"
controller is used instead of the vendor controller.

If this really is the expected usage then why bother with a standard?


Andy

On Mon, Aug 24, 2015 at 10:37 AM, Linda Dunbar <linda.dunbar@huawei.com>
wrote:

> Joel,
>
> Agree with you that “we don’t need to build different protocol stacks for
> the different deployments”.
> But the “environment-req” draft is not about “Protocol”, but about
> security issues under different “environment”.
>
> Among all our customers who are interested in I2RS, majority of them
> (>90%) will deploy them in a closed environment, i.e. physically secured
> connection between I2RS agent and I2RS client. Therefore, it is important
> to “provides an analysis of the security issues of” of this commonly
> deployed environment.
>
> I suggest adding this Figure to Section 1 of the document:
>
> Closed  (over open Chnl ###>)          Open (over secure Chnl --->)
> +---------------------------------+
> |      ***********************   |      ***********************  |
> |       *    Application A    *   |      *    Application B    *  |
> |       *                     *   |      *                     *  |
> |       *  +----------------+ *   |      *  +----------------+ *  |
> |       *  |   Client A     | *   |      *  |   Client B     | *  |
> |       *  +----------------+ *   |      *  +----------------+ *  |
> |       ******* ^ *************   |      ***** ^ ****** ^ ******  |
> |               #                 |            |        |         |
> |               #                 |            |        |   |-----|
> |               #               |                     |   |
> |  ************ v * * * * ********|   ***************** v * v ********
> |  *  +---------------------+     |   *  +---------------------+     *
> |  *  |     Agent 1         |     |   *  |    Agent 2          |     *
> |  *  +---------------------+     |   *  +---------------------+     *
> |  *     ^        ^  ^   ^        |   *     ^        ^  ^   ^        *
>
>
>
> Just think about this fact: today’s router configuration in production
> environment can only be performed by a few authorized people with EMS/NMS
> physically and securely separated. If the majority of the I2RS environment
> requirement is about open connection, I2RS WG will spend a lot energy
> developing the very sophisticated protocols which is expensive to develop
> and harder to deploy.
>
> I am not against this development, but IMHO, to gain wider and quicker
> I2RS deployment in production environment, it is necessary to have a very
> *lean* I2RS solution first, and to have a well documented security
> requirement for the common deployment environment. E.g. a single Controller
> (or the I2RS client) directly connected to their devices via their internal
> network, where the connection is physically isolated from other network and
> protected by separate mechanisms. Also remember, many operators will use
> I2RS to control a small number of selective routers (mostly routers at
> ingress/egress boundary) for value added services.
>
>
>
> Some of my detailed questions and comments to the “security-requirements”
> are still applicable to the “environment-req” document because they have
> the same text. Plus a few more for the “environment-req” document. Hope the
> authors can address them.
>
>
> Section 3:
>
> What are the key differences with regard to the security requirements for
>  I2RS plane and for management plane?  Section 3.1 describes the
> interaction between I2RS plane and management plane. But I see the security
> requirement for the management plane are all applicable to the security
> requirement to I2RS plane . If you think that they are very different, can
> you elaborate more?
>
> Section 3.4 has title “Recommendations”, but the content are all
> requirements. Why not name the section “Requirement”?
>
> REQ 2: Does it that a different IP address than the one used by the
> management system?
>
> REQ 21: is more about I2RS requirement, less about “Security” requirement.
>
> REQ 24: isn’t it the general goal of I2RS? Not really security per se.
> (should be included in the general I2RS requirement or architecture).
>
>
> REQ 26: simply controlling the resource can hardly prevent DoS. Malicious
> client can occupy the resource while the valid one can't access.
>
> Thanks for your consideration,
> Linda
>
>
> -----Original Message-----
> From: i2rs [mailto:i2rs-bounces@ietf.org <i2rs-bounces@ietf.org>] On
> Behalf Of Joel M. Halpern
> Sent: Friday, August 21, 2015 12:20 PM
> To: Linda Dunbar; i2rs@ietf.org
> Cc: 'Jeffrey Haas'; daniel.migault@ericsson.com; 'Alia Atlas'
> Subject: Re: [i2rs] draft-mglt-i2rs-security-requirements-00 2 Week WG
> adoption call (8/17 to 8/31)
>
> Yes, one of the two last calls is for the environment document.
>
> Having a dedicated physical channel is one of the ways identified in the
> draft to provide the required isolation.
>
> While such an environment is clearly supportable, I do not think we should
> reduce the internal protocol requirements (such as MTI security for the
> control channel) just because there are circumstances where such it won't
> be needed.  I don't expect that we will build different protocol stacks for
> the different deployments.
>
> The purpose of this draft is to describe the environmental assumptions,
> which assumptions can be met in various ways.
>
> Yours,
> Joel
>
> On 8/21/15 12:56 PM, Linda Dunbar wrote:
> > Joel,
> >
> > If it is the "environmental one", it is more important to differentiate
> the requirements for different environments on how the I2RS client & Agent
> are connected.
> >
> > One of our customers stated that their environment has a single
> Controller (or the I2RS client) directly connected to their devices via
> their internal network, where the connection is physically isolated from
> other network and protected by separate mechanisms, they don't need all
> those sophisticated authentication procedure.
> >
> > We need to address this environment, i.e. having a simpler security
> requirement for this environment than the environment where I2RS Client is
> connected via public network.
> >
> > Linda
> >
> >
> > -----Original Message-----
> > From: Joel Halpern Direct [mailto:jmh.direct@joelhalpern.com
> <jmh.direct@joelhalpern.com>]
> > Sent: Friday, August 21, 2015 10:53 AM
> > To: Linda Dunbar; i2rs@ietf.org
> > Cc: 'Jeffrey Haas'; daniel.migault@ericsson.com; 'Joel Halpern'; 'Alia
> Atlas'
> > Subject: Re: [i2rs] draft-mglt-i2rs-security-requirements-00 2 Week WG
> > adoption call (8/17 to 8/31)
> >
> > First, there may be some confusion because the announcement.  I presume
> that you are talking about the -environments documents.
> >
> > If the WG concludes that a different chapter structure is useful, we can
> of course change it.  Given that the goal is environment description, I am
> not sure your proposed structure is significantly better than the existing
> one.
> >
> > I believe your comment about the text  reading "where security functions
> may be hosted" is well taken, and we should remove that text when we next
> revise the document.
> >
> > The isolation text is about the need to keep things separate, and the
> various possible means are degrees / approaches to separation.
> > Isolation is not about treating things differently, nor is it explicitly
> about using different protocols.  So the point of isolation is not that
> there are different security requirements, but that in order to avoid
> corss-effects, things should be kept separate.
> >
> > Yours,
> > Joel
> >
> > On 8/20/15 6:42 PM, Linda Dunbar wrote:
> >> I support the WG adoption because I think the I2RS WG needs it.
> >> However, I hope the authors can consider/address the following
> suggestions/comments:
> >>
> >> When you think about the I2RS security,  there are following
> >> different
> >> aspects:
> >>
> >> -Communication channel between I2RS client and Agent (and the channel
> >> between I2RS client and applications):
> >>
> >> The channel can be
> >>
> >> oVia physical Private network (e.g. within a secured direct connect
> >> within one site),
> >>
> >> owithin one administrative domain,  via virtual private network
> >>
> >> oSecured connection, such as TLS or IPSec
> >>
> >> oPublic internet
> >>
> >> o..
> >>
> >> -Authentication & Authorization
> >>
> >> othe authentication & authorization requirement for different
> >> communication channels can be different. Therefore, should have
> >> separate sections to address specific requirement  for each
> >> communication channels between I2RS agent <-> clients (and client <->
> >> applications)
> >>
> >> The current Section 4 of the draft already has very good description
> >> on the subject. I think 4.4.1 and 4.42 can be separated out of the
> section.
> >>
> >> -Encryption for the actual content between Client and Agent
> >>
> >> -DoS Design requirement (currently in Section 5.2.1)
> >>
> >> -Management of conflict with other plane (e.g. the management plane,
> >> multi-headed control, which has been discussed extensively in
> >> ephemeral
> >> draft)
> >>
> >> I think the draft should be organized from the aspects of the
> >> security to I2RS as suggested above.
> >>
> >> Here are some detailed questions and comments to the requirements
> >> listed in the document:
> >>
> >> Section 1:
> >>
> >> The second paragraph stated the security recommendations must
> >> "specifying where security functions may be hosted". First of all I
> >> don't see the draft address this aspect. Second, I think   "where
> >> security functions are hosted" is orthogonal to "I2RS security" .
> >>
> >> Section 3:
> >>
> >> what does isolating two planes mean? does it mean they have different
> >> security requirement/issues? Or does it mean they need different
> protocols?
> >>
> >> What are the key differences with regard to the security requirements
> >> for  I2RS plane and for management plane?  Section 3.1 describes the
> >> interaction between I2RS plane and management plane. But I see the
> >> security requirement for the management plane is similar to I2RS plane .
> >> If you think that they are very different, can you elaborate more?
> >>
> >> Section 3.4 has title "Recommendations", but the content are all
> >> requirements. Why not name the section "Requirement"?
> >>
> >> REQ 2: Does it that a different IP address than the one used by the
> >> management system?
> >>
> >> How is REQ 22 different from REQ 21?
> >>
> >> REQ 27 is hard to enforce. How about say something like "shouldn't
> >> send any information beyond what have been defined by the I2RS data
> model"?
> >>
> >> REQ 30: simply controlling the resource can hardly prevent DoS.
> >> Malicious client can occupy the resource while the valid one can't
> access.
> >>
> >> Thanks for consideration,
> >>
> >> Linda
> >>
> >> *From:*i2rs [mailto:i2rs-bounces@ietf.org <i2rs-bounces@ietf.org>] *On
> Behalf Of *Susan Hares
> >> *Sent:* Monday, August 17, 2015 12:50 PM
> >> *To:* i2rs@ietf.org
> >> *Cc:* 'Jeffrey Haas'; daniel.migault@ericsson.com; 'Joel Halpern';
> >> shares@ndzh.com; 'Alia Atlas'
> >> *Subject:* [i2rs] draft-mglt-i2rs-security-requirements-00 2 Week WG
> >> adoption call (8/17 to 8/31)
> >>
> >> This begins a 2 week WG adoption call for
> >> draft-mglt-i2rs-security-requirements.  This draft discusses the
> >> security requirements for the I2RS environment.  You can find the draft
> at:
> >>
> >> https://tools.ietf.org/html/draft-mglt-i2rs-security-environment-reqs
> >> -
> >> 00
> >>
> >> A security reviewer will review this draft during the time 8/20 to
> >> 8/25.   We will post the security directorate review to this discussion.
> >>
> >> Sue Hares
> >>
> >
>
> _______________________________________________
> i2rs mailing list
> i2rs@ietf.org
> https://www.ietf.org/mailman/listinfo/i2rs
>
>
> _______________________________________________
> i2rs mailing list
> i2rs@ietf.org
> https://www.ietf.org/mailman/listinfo/i2rs
>
>

v2.23.0 | Report a Bug | By Email